Guy Carpenter, a reinsurance brokerage firm, recently published a report highlighting emerging risks facing the (re)insurance sector. One of the three emerging risks identified was cyber risk. The other two risks were climate change and space risk. ["Cyber, Climate Change And Space Highlighted As Critical Emerging Risks In Guy Carpenter Report," gccapitalideas.com, 8 September 2013] Insurers and reinsurers are constantly looking for risks that could affect their bottom lines. Some of those risks could affect their own operations, but most of the risks identified could significantly and negatively impact the companies they insure. Cyber risks fall into both categories. Concerning cyber risks, the article states:
"Instances of cyber attacks are indeed on the rise and have reached alarming levels. Moreover, cyber risks are not isolated and are usually connected to other seemingly less obvious risks. For example, the immediate risks associated with a cyber attack can range from legal liability and computer security breaches, to privacy breaches of confidential information. Reputational damage is another concern. A company may also be vulnerable to risks to their supply chain as a result of cyber threats, as technology has become a critical enabler of a supply chain's operations. According to the report, technology failure and cyber attacks represent a greater threat to most organizations than adverse weather, fire and social unrest combined. Given the growing loss potential from supply-chain risks, companies need to ensure they understand their supply chains and offer all data to their insurers. Every company that utilizes technology and collects or handles data should therefore consider cyber insurance cover. The (re)insurance sector has reacted quickly to cyber developments and now offers coverage that addresses nearly all aspects of technology-based risk faced by modern companies."
Over the past few years, supply chain disruptions caused by natural disasters have captured most of the headlines. That's why it may come as a surprise that cyber risks to supply chains are a greater risk than adverse weather, fire, and social unrest combined.
Zurich, another insurance company, is also keeping its eye on cyber security. In an article written for Zurich, Catherine Bolgar writes, "One of the biggest threats on every executive's minds is cyber security. Businesses are more dependent than ever on information technology." ["Emerging Risks," Supply Chain Risk Insights, 8 April 2013] Bolgar continues:
"The new cyber security breaches are 'not for taking assets or taking money, but to control assets,' says James B. Rice Jr., deputy director of the Center for Transportation and Logistics at the Massachusetts Institute of Technology in Cambridge, Massachusetts. 'Many operations are managed by machines, and it's quite possible for somebody to wrest control of those.' An indication of the potential damage is the Stuxnet worm that attacked Iran's nuclear facilities in 2010. As with social media, the threat can come from disgruntled employees, pranksters or hackers. Risk also can come via suppliers. Companies evaluate risks in terms of physical operations and facilities, but they 'don’t always think about the maintenance providers that have access to service the facilities in person or remotely,' Mr. Rice says. 'That represents a significant opportunity for bad actors to take action, whether against a particular company or against infrastructure to cause a systemic risk.'"
Kirsten Doyle reports that Edna Conway, chief security strategist at Cisco, expressed a number of concerns about cyber security at a conference earlier this year. Conway was concerned that "today's supply chain is reliant on a complex network involving the movement of goods, services, funds and information across a range of parties worldwide. This makes the supply chain vulnerable to not only cyber attacks and disruptions, but also cyber espionage." ["Securing the supply chain," ITWeb, 16 May 2013] Conway told conference participants, "We have to get security right, and apply it across the supply chain. We need to think end-to-end. Introduce a security model that moves away from the endpoint. We need to capture failures within the supply chain, so the customer is never affected."
Michael de Crespigny, CEO of the Information Security Forum (ISF), an international association that focuses on cybersecurity issues and information risk management, told CSO magazine that supply chains are increasingly a target for hackers. "It's a case of the hackers identifying the weakest link and breaking in," he observed. ["Supply chain the new tempting attraction for hackers," by John P. Mello, Jr. (CSO), Network World, 10 April 2013] De Crespigny continued, "Criminals are seeing the supply chain as a means of accessing information they wouldn't otherwise be able to get from a large, proficiently run, well secured global organization." Supply chain analyst Bob Ferrari agrees with de Crespigny that supply chains are sometimes the weakest link in corporate networks. This is because those networks must often connect with other, less secure, networks. Ferrari writes, "The weakest links in global supply chains, namely supplier networks, can sometimes be the target of [cyber] attacks. Insure that your supplier audits involving strategic suppliers include some basis of insuring that adequate information security measures are in-place." ["The Growing Threat of Cyber Attacks Across the Global Supply Chain," Supply Chain Matters, 20 May 2013]
Earlier this year, you might remember reading about how the Chinese military is conducting persistent cyber attacks against both government and commercial organizations. As Kathrin Hille reported, "Western governments are ... accusing China of sponsoring aggressive, highly co-ordinated and long-running cyber espionage campaigns against the rest of the world, often in pursuit of corporate and military secrets." ["Chinese cyber crime: More crooks than patriots," Financial Times, 19 May 2013] Hille pointed out, however, that not all cyber attacks emanating from China are government sponsored. She related the story of six young Chinese men who decided to attack Foxconn on a whim. As a result, she concluded, "Governments and companies must design their defences to resist not only state-sponsored attacks but also threats from half a dozen young men looking to make a quick buck by extorting a multinational."
If there is any good news in all of this, it may be "that supply-chain attacks are harder to carry out and require more resources than other modes of attacks." At least that is what "officials from four industry groups and one research institution" told the Government Accountability Office. ["Is supply-chain risk overstated?" by Mark Rockwell, FCW, 22 May 2013] Rockwell reports that most experts agree that software vulnerabilities ("like malicious software uploaded to equipment through the Internet") greatly outweigh hardware vulnerabilities. Rockwell writes, "Three network providers told [the] GAO the most common anomalies found in equipment were caused by unintentionally bad coding in their software. A third-party testing firm, however, said the anomalies could lead to exploitable vulnerabilities." Rockwell noted that Roger Schell, senior computer scientist at the University of Southern California, spoke earlier this year at the SAS Government Leadership Summit in Washington, D.C. At that conference, Schell indicated that "software manufacturers ... are not doing nearly enough to protect their users. As evidence of the oversight, he cited a recent government-sponsored 'red team' practice attack on a U.S. armed forces computer network in which the team replaced six lines of code in a Windows XP program, resulting in loss of control of the program."
Supply chain professionals are not generally IT professionals as well. They don't write code, they are users of programs. It is up to the software providers to help make supply chains more resilient to cyber attacks. As more losses are accumulated as a result of cyber risks, I suspect that insurance companies will start identifying software providers that place their clients at greater risk of cyber attacks. With so much at stake, neither governments nor companies can treat cyber risks lightly.